Industry of Anonymity

August 5, 2015

All’s Fair in Love and War?

As someone who studies trust among cybercriminals, I often field queries from the curious about what factors disrupt cooperation among online criminals. Until a recent visit to Eastern Europe, one element I hadn’t considered was the significant role that political animosity might play in damaging relationships. My visit to the region made clear that the war in eastern Ukraine is leading to a number of unexpected consequences in the cybercrime sphere, sowing the seeds of distrust among certain players in the Russian-speaking “scene”.

This was an issue raised by a number of local researchers I met with, who go “undercover” and monitor the key Russian-speaking marketplaces. In the past, most Eastern European actors rarely expressed their political views. But recent events have seen a shift. With the conflict simmering on the ground, a number of “flame wars” have developed online, between those broadly in support of Russia and those against it. This has damaged cooperation and led to the breakdown of some long-term and trusting partnerships. Some forums have even had to bring in and enforce rules against political discussion. Max Goncharov’s new report on the Russian underground suggests similar developments as a result of the Ukrainian conflict: fights between forum members with some even being banned or retreating into exile.

In order to understand the significance of these developments, it is important to note that the Russian underground is not actually Russian. It is merely Russian-speaking. While Russian nationals play a key role, and some may have a sense of centrality or superiority, cybercriminals from countries like Ukraine, Belarus and the Baltic States have played an important role in the business since the early days. Russian provided a common tongue and operating in a Russian-speaking online community opened up a much larger market for cybercriminals in the region. In self-preservation terms, the use of Russian also helped shield each participant’s nationality from local authorities or other criminals taking an interest in them.

A fundamental norm also quickly developed: don’t seek targets in the former Soviet Bloc. Part of this norm can be explained ideologically, stemming from Soviet era propaganda, in that wealthy “bourgeois” foreigners made more deserving targets than economically struggling “comrades” in Eastern Europe. There is also a practical explanation of not wanting to draw the wrath of local law enforcement and security agencies, especially when well insulated against foreign investigations. As Police Dog, one of the well-known CarderPlanet era cybercriminals, wrote: “If we didn’t make a mess on our own doorstep then our local cops and intelligence services didn’t have a problem with us”.

While these explanations have their place, there is almost certainly an economic component involved here as well. In the 1990s and early 2000s, some low-level scams seem to have targeted locals due to the ease of monetisation, avoiding the complications of moving money across borders. But as the West began to rapidly develop the Internet, comparatively wealthy victims and their data became available to those with the right skill sets. It was much more lucrative for Russian-speaking cybercriminals to invest their time and efforts in this new area, especially when Eastern Europeans were less likely to be using credit cards, online banking or purchasing products online and companies in the region were not adopting new technologies to the same degree as those in the West. Locals in former communist countries generally had far less money to steal in the first place, so it seemed only logical to focus attacks overseas.

But change is afoot: there is no longer a dearth of targets in the former Soviet Bloc. The widespread use of the Internet and other new technologies has taken hold in Eastern Europe. New wealth is also emerging. There is money to be made by cybercriminals seeking targets closer to home and there is no doubt that some have been taking advantage of the new opportunities. One Ukrainian researcher suggested that for the last few years Russian-speaking cybercriminals have begun to work “quietly” within their own part of the globe. Of course, there was a loud bang when those behind the Carberp malware began to target online bank accounts in the region, subsequently leading to a number of arrests. This case led to more open talk on forums about Eastern European targets, but many still operate cautiously.

The question now becomes whether recent geopolitical events will lead to the complete dismantling of the norm against carrying out attacks in the former Soviet Bloc. As tensions in the region continue, will the Russian-speaking cybercriminal community become increasingly disjointed and frayed? There is no doubt that politically motivated cyber attacks, whether state directed or not, have increased since the outbreak of war. Local security professionals that have spent much of their careers handling profit-driven cases are now having to shift some of their attention towards cyber espionage, sabotage, activism and terrorism. But some cybercriminals may also harness this opportunity to profit from citizens and institutions in “enemy” countries in the region, using this new political context as cover for their actions, just as the old Soviet propaganda could be used to justify targeting those in the West. Such actions are also likely to bring little heat from national law enforcement when the target is a (newly) unfriendly state’s citizens. Meanwhile, other cybercriminals might care little about politics and simply focus on business, being happy to collaborate with anyone and target any country in the region, as long as there is money to be made.

While norms can seem entrenched, the work of social scientists like Gerry Mackie suggests that if a convention ends, it does so quickly. The inherent nature of a norm is that it is widely agreed upon and applied by interdependent actors. As soon as a tipping point of dissatisfaction is reached, a norm can become unsustainable and almost immediately dissolve. Only time will tell whether the prohibition against targeting former Soviet countries will face this same swift fate.

December 27, 2014

A Wine Critic’s Guide to Defining Cybercrime

When we talk about cybercrime, there is often one point that is easy to gloss over. This is a foundational point: what actually is cybercrime? Like many definitional discussions, heading down this rabbit hole can lead to a quagmire. The purpose of this post is to walk through some of the issues involved, though it may not quite provide a path out of the hole…

Since early discussions of cybercrime, a key conceptual debate in demarcating what is (and is not) cybercrime has been whether cybercrime constitutes a new frontier of crime or simply existing types of criminality taking a new form in a novel online environment. In examining these issues, social scientists have taken a particular liking to wine metaphors. On one hand, David Wall has argued that cybercrime is a case of “new wine, but no bottles”, such is the novelty of cyberspace and the new crimes that it supports. On the other hand, Peter Grabosky wrote an article with the title “Virtual Criminality: Old Wine in New Bottles?”. Here the argument was that cybercrime is nothing particularly new:

‘[V]irtual criminality’ is basically the same as the terrestrial crime with which we are familiar. To be sure, some of the manifestations are new. But a great deal of crime committed with or against computers differs only in terms of the medium. While the technology of implementation, and particularly its efficiency, may be without precedent, the crime is fundamentally familiar. It is less a question of something completely different than a recognizable crime committed in a completely different way.

While the discourse has evolved, the essence of this debate remains. Some consensus has now formed around defining cybercrime broadly: not as a particular subset of crimes, but rather as a range of illegal activities taking place within the realm of cyberspace. Yet the distinction between new and old crimes continues to find a place within this approach. A number of scholars and practitioners differentiate between those cybercrimes that are “traditional” crimes facilitated and enhanced by new technologies (cyber-enabled or assisted crimes such as fraud or theft) and those cybercrimes that could not exist without these new technologies because computers or networks are usually the target (cyber-dependent or focused crimes – such as computer/network intrusion, DDoS attacks and the spread of malware). These types of crime are sometimes known as “pure” cybercrimes.

This distinction has proved popular among both scholars and those within the policy and law enforcement communities. But it is unclear how useful this divide is in understanding how cybercrime works and how cybercriminals operate in practice. At their heart, crimes are those things which have been criminalised by various legal systems – they do not necessarily have an independent theoretical underpinning. Laws might make specific acts against computers and networks illegal, but this often means the use of new tools against new targets has been criminalised rather than the behaviours behind them.

The older criminal motivations remain. For instance, intrusions and the spread of malware can facilitate theft or vandalism, while DDoS attacks might be the tool of an extortion ring or employed in support of a political agenda. In practice, it would be unusual for one of these “technical” crimes not to be linked to some broader motivation and a more traditional crime type (theft, fraud, extortion, harassment, vandalism, espionage and so on).

In legal terms, the distinction between traditional crimes in cyberspace and pure cybercrimes continues to be a relevant one because it allows the criminalisation of nefarious activities that might be difficult to prosecute under existing laws. But in understanding cybercrime in more “human” terms, the distinction appears less helpful. When trying to make sense of the actors involved in cybercrime, the motivation behind the crimes should probably matter more than legal technicalities. When focusing on motivation, the division between old and new cybercrimes might collapse in on itself.

Ultimately we have to stop and think about why cybercrime is of interest to us as a subject of study. If we are curious about the structure, organisation and characteristics of cybercriminals, then our true interest probably lies in how new technologies may (or not) be changing the nature of crime. Definitions should reflect this and may be suitably broad, conceptualising cybercrime along the lines of illegal behaviours that make use of electronic devices and networks. There may be no need to get bogged down sub-categorising new and old types of cybercrime.

Of course the danger with this “loose” approach is that cybercrime could come to mean almost any crime, as technology pervades so many aspects of modern life. So it would also be sensible to specify that the use of such technology is central, rather than tangential/peripheral to the crime. As the diffusion of technology continues so far unabated, whether this distinction itself will collapse over time remains to be seen. Then we will truly know whether we are drinking new or old wine, or some kind of blend.

May 26, 2014

“We Can’t Arrest Our Way Out”

Given the transnational nature of cybercrime, improving international cyberpolicing efforts is one major element for reducing the threat of cybercrime. But as one law enforcement agent told me, it’s not that simple: we “can’t arrest our way out” of this situation. Just as broader crime policy involves a range of nonpolicing solutions, cybercrime policy should be no different.

First, as with traditional forms of crime, the policy community should be having discussions about appropriate sentencing and potential avenues for rehabilitation. While some “conventional” criminals are making their way into cybercrime, those who are hackers or otherwise technically skilled present an interesting case. In the past, critics have complained that sentencing for cybercriminals was too lenient in comparison to “real” crimes like bank robbery. But as sentencing has become increasingly severe in certain jurisdictions, we should be careful not to move to the other extreme. (Different countries are at different stages of this process, with some still having very short cybercrime sentences.) Meanwhile, in terms of rehabilitation, some cybercriminals do possess a versatile skill set that can be very valuable for society, and could lead to their own gainful employment doing something they enjoy. But specialists need to investigate further how such reform could work effectively without greater risks of recidivism and without incentivizing cybercrime as an entry point into the IT industry.

Second, education about cybercrime is very important. As national and global societies, we are still learning what the threat is and how best to protect ourselves. The first point all users have to accept is that the Internet is not necessarily a safe place. There are unseen people out there who want to “get us” in a variety of different ways and for different reasons. That should inform the way individuals and organizations conduct themselves. There are no hard and fast rules, but just as people might be guarded when they walk around a rough-looking area at night, users should be looking around themselves online. They should be thinking about where they visit, what they click on, what pops up, what is sent to them, and so on. Users should make sure to lock their doors—in technology terms, by having basic protections like anti-virus software, security updates, firewalls, and strong and diverse passwords—and always approach online activity with a degree of caution.

Users should also be wary of the digital footprint they leave online—what personal information they choose to disclose, and whether they really trust various companies and organizations to protect it. Cybercrime is more than technical vulnerabilities; it’s just as much about leveraging available information against victims through “social engineering” (deceiving someone into revealing private information or performing certain actions). Victims might like to think they are the target of an elite cybercriminal using the latest exploits, but many supposed “hacks” might just be the result of poor password security or someone guessing your mother’s maiden name. The more breadcrumbs users leave around for cybercriminals, the easier their job.

But education is equally important on the perpetrator side. Some face a slippery slope of involvement, starting with borderline criminal activity like software cracking to more serious activities later on. It’s not hard to see why credit card fraud might seem like a game when you started your hacking career creating “cheats” for online games. It is vitally important that younger people are taught about the reality of their actions in the virtual world. It is something that many cybercriminals often realize too late: Their victims are real, as are the consequences of illegal behavior.

One hacker and former cybercriminal I’ve met with, who made a substantial amount of money from identity theft in the 2000s but was later jailed, sees things in a similar way. Now establishing a career in the IT sector, he hopes to one day run a workshop that goes into schools and identifies those who have the “hacking mindset”—the sharpness and intellectual adventurousness that defines hackers (both black and white hat). This hacker’s view was that these youths need to be acknowledged for their unusual talents and taught about the potential positive applications for their abilities. But just as importantly, they need to be warned about the dangerous paths not to go down and the consequences of such actions for their lives and others. Otherwise, they may find their own way forward, just as he did.

Finally, we have to acknowledge the significant economic factors behind a lot of cybercrime and think about how to counteract them. Cybercrime is no longer a “middle class” crime of well-educated and privileged adolescents. As Internet access and usage has become more widespread, there are now cybercriminals from all backgrounds and demographics (though anecdotally speaking a preponderance of males). While economic drivers might not explain the involvement of those from privileged backgrounds (aside from greed), for others the venture is certainly an alternative source of income or career path.

Internationally, cybercrime is a de facto method for less economically developed nations to “outsource” some of their crime to wealthier countries. Not that they are actively promoting this process, but countries with limited economic opportunities produce a lot of crime and sometimes a considerable amount of cybercrime (Nigeria being a good example). In Eastern Europe, there is a glut of technical talent being produced, but not always the best job market to support it; cybercrime can become a promising option for those open to criminality. It is a basic supply-and-demand problem.

Of course, there are complex issues of personality, individual backgrounds, and values here too. Economics will never explain everything. At one end of the spectrum, you will always find those who will not turn to crime under difficult circumstances and have clearly determined boundaries, regardless of their financial position. At the other end of the spectrum, there are those who will engage in illegal behavior despite being in a relatively strong economic position.

For those in the middle who are simply seeking financial security, greater investment in IT industries in various countries around the world may help solve part of the problem. One interesting example in this area comes from the leading security journalist and blogger Brian Krebs, who recently spoke with a major cybercriminal in Russia. This man was perturbed by his struggles to employ high-quality coders for his criminal operation. The problem was that the Russian IT sector had recently grown and many of the skilled coders the criminal wanted to employ had taken jobs in legitimate industry. In the end, this cybercriminal even had to seek licit employment himself.

Read more about cybercrime policy in “Electronic Ghosts“.